SEC580: Metasploit Kung Fu for Enterprise Pen Testing

Sat, September 10 - Sun, September 11, 2016

As a recent grad, SEC580 is extremely beneficial to learning how systems are compromised and how they should be secured.

K.J. Kennedy, Michigan City PD

SEC580 is an excellent deep-dive into Metasploit. This course is exactly what I needed to get my skills up!

Chris Schultz, Deloitte

Many enterprises today face regulatory or compliance requirements that mandate regular penetration testing and vulnerability assessments. Commercial tools and services for performing such tests can be expensive. While really solid free tools such as Metasploit are available, many testers do not understand the comprehensive feature sets of such tools or how to apply them in a professional-grade testing methodology. Metasploit was designed to help testers confirm vulnerabilities using an open-source, easy-to-use framework. This course will help students get the most out of this free tool.

This class will show students how to apply the incredible capabilities of the Metasploit Framework in a comprehensive penetration testing and vulnerability assessment regimen, according to a thorough methodology for performing effective tests. Students who complete the course will have a firm understanding of how Metasploit can fit into their penetration testing and day-to-day assessment activities. The course will provide an in-depth understanding of the Metasploit Framework far beyond simply showing attendees how to exploit a remote system. The class will cover exploitation, post-exploitation reconnaissance, token manipulation, spear-phishing attacks, and the rich feature set of the Meterpreter, a customized shell environment specially created for exploiting and analyzing security flaws.

The course will also cover many of the pitfalls that a tester may encounter when using the Metasploit Framework and how to avoid or work around them, making tests more efficient and safe.

Course Content Overlap Notice:

There is a small amount of overlap with SEC504 and SEC560 as these two classes cover Metasploit as a topic, but do not dive deep into its capabilities.

Course Syllabus

SEC580.1: Metasploit Kung Fu for Enterprise Pen Testing: Day 1

SANS Security 580 is a hands-on class with many labs. Please review the laptop requirements before attending class!

Overview

Day 1 of SANS Security 580: Metasploit Kung Fu for Penetration Testers is designed to help attendees master the most heavily used exploitation framework on the planet and see how they can wield it effectively in professional penetration testing. We analyze some of the most powerful and yet often overlooked capabilities of the framework with numerous exercises that make this class one of the most hands-on courses ever developed by SANS.

In SEC580.1, you will go from zero to exploit and beyond faster than you ever thought possible. For example, after this day of class, you will understand the Ruby foundations of Metasploit and how interacting with these underpinnings will greatly optimize and enhance your testing activities. Further, you will understand how far you can extend your exploitation activities through the effective use of some of the late-breaking features of the amazing Meterpreter. Finally, have you ever wondered how you can compromise an entire domain from simple Windows system access? After this day you will know exactly how to achieve this kind of result. After all, shell is only the beginning.

CPE/CMU Credits: 6

Topics

A Guided Overview of Metasploit's Architecture and Components

A Deep Dive into the Msfconsole Interface, including Logging and Session Manipulation

Careful and Effective Exploitation

The Ultimate Payload: The Metasploit Meterpreter In Depth

Merciless Pivoting: Routing Through Exploited Systems

Metasploit Sniffing on Exploited Systems

Windows Process Token Manipulation for Fun and Profit

Metasploit's Integration into a Professional Testing Methodology

Automation with Meterpreter Scripts to Achieve More in Less Time with Consistency

It's Not All Exploits - Using Metasploit as a Recon Tool

Port and Vulnerability Scanning with Metasploit, Including Integration with Nmap, Nessus, and Qualys

SEC580.2: Metasploit Kung Fu for Enterprise Pen Testing: Day 2

SANS Security 580 is a hands-on class with many labs. Please review the laptop requirements before attending class!

Overview

In SANS Security 580.2, we build upon the deep foundations of Day 1 to see how Metasploit can be used within a penetration tester's ecosystem of tools and techniques to attack systems in new and creative ways. We'll analyze the activities of the most effective bad guys to see how they target enterprises via complex and often non-traditional attack vectors so that we can model their behaviors in our penetration testing processes. Client-side attacks launched via email, phishing, and document payload attacks are currently some of the most heavily used attack vectors by the bad guys. They use these techniques because they almost always work. The course shows penetration testers how to wield such attacks with the goal of determining the business implications of vulnerabilities, all with the goal of improving the target organization's security stance.

We'll also cover how Metasploit can effectively integrate with tools like NeXpose, Nmap, and Nessus to manage large scan results to find exactly which system(s) you wish to exploit. We also cover how Metasploit can become a main component of your wireless penetration testing regimen and how Metasploit can be used to attack databases and web applications.

Exploiting the Soft Underbelly of Most Organizations through the Social Engineering Toolkit

Evading Countermeasures to Mimic Sophisticated Attackers

Scripting Up the Meterpreter to Customize Your Own Attacks

Attacking Target Databases to Demonstrate Business Risk Effectively

Metasploit's Myriad of Wireless Features for Attacking Access Points and Clients

Metasploit and the Web: Integration and Astonishing Automation via Metasploit, MySQL, and More!

Additional Information

Laptop Required

To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network that we will create. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class.

Windows

You are required to bring Windows 7 (Professional or Ultimate), Windows Vista (Business or Ultimate), Windows XP Pro, or Windows 2003 or 2008 Server, either a real system or a virtual machine. Windows 7 Home, Windows Vista Home, Windows XP Home, and Windows 2000 (all versions) will NOT work for the class as they do not include all of the built-in capabilities we need for comprehensive analysis of the system.

The course includes a VMware image file of a guest Linux system that is larger than 2 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated.

VMware

You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 2.0 or later or the commercial VMware Workstation 5.0 or later installed on your system prior to coming to class. You can download VMware Player for free at www.vmware.com. Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from www.vmware.com. VMware will send you a time-limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player.

We will give you a DVD full of attack tools to experiment with during the class and take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.

Linux

You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

x86-compatible 1.5 GHz CPU minimum or higher

DVD Drive (not a CD drive)

2 GB RAM minimum or higher

Ethernet adapter

5 GB available hard drive space

Any Service Pack level is acceptable for Windows XP Pro, 2003, Vista, or Win7

Paranoia is Good

During the workshop, you will be connecting to one of the most hostile networks on planet Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

This class would be essential to any industry that has to test regularly as part of compliance requirements or regularly tests their security infrastructure as part of healthy security practices.

Penetration testers

Vulnerability assessment personnel

Auditors

General security engineers

Security researchers

Prerequisites

A basic understanding of computer fundamentals such as the command line, networking, and TCP/IP would be helpful. The requirements are the same as for SANS SEC560.

Author Statement

Metasploit is the most popular free exploitation tool available today. It is in widespread use by penetration testers, vulnerability assessment personnel, and auditors. However, most of its users rely on only about 10 percent of its functionality, not realizing the immensely useful, but often poorly understood, features that Metasploit offers. This course will enable students to master the 10 percent they currently rely on (applying it in a more comprehensive and safe manner), while unlocking the other 90 percent of features they can then apply to make their tests more effective. By attending the course, they will learn how to make a free tool achieve the power of many much more costly commercial tools.

"As a SysAdmin, I found this course invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors."

Christopher O'Keefe, CPC